Posted to dev@hc.apache.org by bu...@apache.org on 2003/03/11 17:29:47 UTC

DO NOT REPLY [Bug 17884] New: - Multiple DIGEST authentication attempts with same credentials

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17884

           Summary: Multiple DIGEST authentication attempts with same
                    credentials
           Product: Commons
           Version: 1.0 Alpha
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: Other
         Component: HttpClient
        AssignedTo: commons-httpclient-dev@jakarta.apache.org
        ReportedBy: olegk@apache.org


HttpMethodBase's processAuthenticationResponse uses a set of realms to which
attempts to authenticate have already been made. The elements of the set are a
concatenation of the requested path and the value of the Authentication response
header.

For digest authentication this response header contains a nonce value, which is
uniquely generated by the server each time a 401 response is made. This makes it
impossible to recognize that authentication against this realm has been
attempted before and so all 100 attempts are made before returning. The nonce
should probably not be used in the realmsUsed element.

Reported by Rob Owen <Ro...@sas.com>
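
The effect described in the report, as an added example that is not part of the original message and is not HttpClient's own code: it compares a "seen" key built from path plus the full challenge value with one built from path, scheme and realm only. The class name, the rawKey/stableKey helpers, the /protected path and the challenge strings are constructed for illustration.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RealmKeyDemo {
    // Extracts realm="..." from a challenge; handles the plain quoted form only (assumption).
    private static final Pattern REALM =
        Pattern.compile("realm\\s*=\\s*\"([^\"]*)\"", Pattern.CASE_INSENSITIVE);

    /** Key as the report describes it: requested path + full challenge header value. */
    static String rawKey(String path, String challenge) {
        return path + challenge;
    }

    /** Hypothetical nonce-free key: path + scheme + realm, ignoring per-response fields. */
    static String stableKey(String path, String challenge) {
        String trimmed = challenge.trim();
        int sp = trimmed.indexOf(' ');
        String scheme = (sp < 0 ? trimmed : trimmed.substring(0, sp)).toLowerCase(Locale.ROOT);
        Matcher m = REALM.matcher(trimmed);
        String realm = m.find() ? m.group(1) : "";
        return path + "|" + scheme + "|" + realm;
    }

    public static void main(String[] args) {
        // Constructed sample challenges: same realm, a fresh nonce on every 401.
        String[] challenges = {
            "Digest realm=\"example\", qop=\"auth\", nonce=\"constructed-nonce-1\"",
            "Digest realm=\"example\", qop=\"auth\", nonce=\"constructed-nonce-2\"",
            "Digest realm=\"example\", qop=\"auth\", nonce=\"constructed-nonce-3\"",
        };
        Set<String> rawSeen = new HashSet<>();
        Set<String> stableSeen = new HashSet<>();
        for (int i = 0; i < challenges.length; i++) {
            // Set.add returns false when the key is already present, i.e. a repeated attempt.
            boolean rawRepeat = !rawSeen.add(rawKey("/protected", challenges[i]));
            boolean stableRepeat = !stableSeen.add(stableKey("/protected", challenges[i]));
            System.out.println("401 #" + (i + 1)
                + " rawRepeat=" + rawRepeat + " stableRepeat=" + stableRepeat);
        }
    }
}
```

A key without the nonce also matches a challenge carrying stale=true, which RFC 2617 defines as an expired nonce rather than rejected credentials, so a fix along these lines would still need to let that case retry.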